
In the aforementioned thread Tiger Shark talked in depth about why he is opposed. I have gotten similar remarks from Marcus Ranum to the effect that if you don't have the knowledge and skill set to provide your own security you also don't have the knowledge and skill set to evaluate and select a provider so you're damned if you do and damned if you don't.

Still, for some services and some companies I don't know if it's fair to lump everything and every service together and say they're all bad. CERT has an extensive document detailing the benefits and risks of outsourcing security, including in-depth practices to help guide the whole process. You can find that here: Outsourcing Managed Security Services

So, let's have some more discussion. Is outsourcing good? Bad? What are the pros and cons, risks and benefits, caveats and pitfalls?

Outsourcing my security makes me want to run to a corner, curl up in a ball, pull my ears and wait for the explosion. I am opposed to the idea of outsourcing security.

Here is my opposition:

The more people that dabble in your network (as admins or superusers), the more trouble you are asking for. I am wary of any company wanting to provide security solutions for my company. Our company has highly critical information and it would be a devastation if it fell into the wrong hands, not just for the company but for the clients.

Although I am opposed to the idea I also see the good in it. Not all people know how to handle all security, some companies are too small to handle the security aspect, and so on and so forth.

How I deal with it:

Sure, I am not going to go around saying I know it all because I know I am far, far from that. But this is how I handle my security. Every 6-8 months I have a company come in to audit our security. This is done in many banks and other high(er?) profile places. However, it is important to know who you are dealing with. We have had a long relationship with the company we are currently working with and we feel very comfortable with them (but not too comfortable).

Well although I can see a use for outsourcing security it ain't for me!

So I guess we're talking about outsourcing to India, or countries as such. Not to be racist or anything, but I don't think that security outsourced to India will have the same results as it has in the home country.

I think you have been watching too many political campaign commercials. While many IT jobs, mainly customer support / helpdesk and a good chunk of development, do in fact get outsourced overseas, that is not the point of my inquiry.

I am talking about hiring firms that specialize in security to handle your computer and network security for you rather than building it in house. I am referring to contracting with companies like BAI Security or Guarded Networks or Internet Security Systems (ISS) to implement and maintain your network security rather than purchasing the equipment and hiring the staff with the knowledge and skill level to properly secure and maintain your environment.

Depends. The initial reaction of a security person is that it is a bad idea.

Different perspective, business related:

We outsource HR, payroll, web hosting, payment systems, etc., and all have some level of risk involved. In fact a breach in HR may not be a major financial loss, but it would definitely be embarrassing if all employee records got out. On the other hand, an outsourced payment system could be infinitely more devastating and cause extreme financial loss.

I bet if you asked an HR person about outsourcing, he or she would have the same disgusted reaction to their own area of expertise. Unless one has a full-time staff of dedicated experts sitting in a NOC 24-7 and has systems so critical that NONE of it is outsourced, then outsourcing becomes a reality, and it especially becomes a reality when a business has NO IT dept on staff. In that case it is even more of a benefit because now there is some oversight into what an IT consultant does beyond "trusting his word".

In fact that may be the real reaction, including my own: having someone outside of IT looking into a sacred domain and telling us IT folks what sites we can and cannot go to. In addition to that example, increased government scrutiny in some business arenas makes it very difficult to keep the administrator and the security officer the same person. In these circumstances it is a very common situation where those two salaries are not compatible with budget concerns. And even when they are, there is a growing desire by investors and government regulators to have EXTERNAL controls in place. It's becoming a lot like accounting, for example. NO company operates on its own internal accounting procedures without establishing external oversight by trusted organizations. You wouldn't hire them or a lawyer without some severe scrutiny, and you wouldn't outsource your security devices without it either. In some cases you may even find the opposite is true: they (the outsourced security folks) may know much more than you do.

Besides, it's not like you have to hand over the keys, just a gateway monitoring box or patch management. It could even be having someone come in and develop a template or a checklist for administrators to follow and submit results. Layers and oversight.

At least around here a lot of security is outsourced already. The company that monitors our alarm system for fires and burglary is not even in this city. The security guard at the door doesn't work for me, and neither does the company that fixes the cameras and door locks. It's sometimes a better move to let people who know security and can carry a gun work the physical doorway, and those people could be in a position to pose a much larger risk at times.

EDIT: I think you hit it, Tony. Outsourcing has come to mean jobs going overseas or something negative to American workers. In this context it simply means the person doing the job is NOT an employee of the business or group.


The absolute basis for security is trust.... Or to be more precise, the lack of trust in everything and everyone. Ultimately, however, someone must be trusted and in many cases must then trust others. The size of the organization really dictates the number of people in the "ring of trust". My organization is small enough that I can limit the ring of trust to myself. None of my employees know everything I do; that's not a slight on them, it's me doing my job. My bosses trust me to have the very best interests of the company in mind and that, should we part ways, I am not the kind of person to do something stupid... Why? Because I have made it quite clear to them that it is beyond my ability to do something to the company that isn't traceable to me (those of you that think you are that good.... remember.... there's always someone "bigger" or "faster" than you....).

Now when you get to larger organizations the ring of trust expands, naturally. The question really comes down to how far you can extend the ring before its potential for breaking becomes part of the risk itself. It's my opinion that if your risk assessment indicates that you have significant assets to protect, then it is your responsibility to provide the security assets commensurate to the threat. But that does not mean extending the ring to entities you have less control over, since extending the ring also means granting certain rights to the very assets you have to protect.

The "Ring of Trust" is the key to security in _every_ field that requires any form of security. The key to the ring is maintaining the smallest ring possible. With due respect to those who are decent, responsible and trustable that sell themselves as "outsourced security" you need to understand that the act of selling your product is contrary to the basic rule of security.

It's my 2c on the subject.....

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

In a previous life, I worked for a company that did this (outsourced its security). Now I was picked up by the outsource company (who I will not name - legal stuff) and was charged with managing the company's security. As time passed, I was also used on other projects (pimping my talent), thus restricting the amount of time I could work with the original contact. The original contact (company) was getting pissed off because of the lack of dedication to their systems, and the outsource company was getting pissed off at me but refused to hire any more security people. In the long run I got the hell out of there just in time to watch both companies go down the drain (neither of them exists anymore). This has somewhat soured my view on outsourcing security.

Since I used to work as an outsourcer ("consultant"), I have another idea of outsourcing.

Outsourcing of anything isn't good. However, you must see the facts:

- If the company doesn't have good technical staff, it's REALLY better to outsource the service.
- I used to see a lot of "dumbass" secadmins, just screwing up all security because they are the "secadm" guy, but who know NOTHING or worse.
- For some companies (i.e. banks; I receive good $$$ from that market) the effort of taking care of all aspects of security is simply impossible. So they usually have a small team (core security team) that coordinates all the outsourced guys.
- But for most, it's simply better to transfer internet monitoring, patch maintenance, vulnerability surveys, etc. to others.

I would prefer that all service is done by inside people, BUT

it's better doing well with an outsourcing company than doing crap with "my guys".

Believe me. Some big companies (I can name one or two in the USA that I've worked for) have a HUGE security team and just do..... nothing..

If the company doesn't have good technical staff, it's REALLY better to outsource the service.

If the risk assessment dictates that you have assets to protect, then those assets have a value. If the assets have a value, then they have a cost associated with securing them that is commensurate with the value.....

People..... Security, while being a bottom-line issue, _isn't_ one of those areas where you can "snip" away at the cost and be able to _honestly_ say that you have done the right thing in that arena. You either take it seriously or you are paying "lip service" to it..... Paying "lip service" will, unless you are incredibly lucky, cost you more in the end. It's a fact of life.... Really....


We outsourced our helpdesk functions not so long ago. We went through a lengthy tender process, and the company who won the tender (not necessarily the lowest cost here, folks) could not render the service effectively on any level. We recruited 310 IT technician staff and brought in a helpdesk solution.

The point being made here is that security cannot be taken lightly. Placing one's trust in a company does make the circle ever bigger; like Tiger says, the cost of recovery, due diligence, etc. could add up to a lot more than skilling one's own people for the job. I believe that outsourcing a critical function should not be done. Having a reputable third party do pen testing and auditing, etc., is always a good thing. Making sure that one has the necessary internal processes in place that accommodate and promote business continuity and the securing of the intellectual property thereof should be done by the bastions of the corporation.

The counter claim could be: one skills them up and they leave, then one is lost again. 'Tis why internal controls are so important..... External factors, the ones I cannot control, such as my security company leaving with perhaps info pertaining to my business, are a risk I would rather not take .....

I am going rock climbing and I have the choice to pay extra so my lifelong friend, who is also a very experienced rock climber (who has come on multiple rock climbing trips with me before), can come with me, or I save some money and hire a guide who says he knows the route and has had a lot of experience climbing before.

When my rope breaks and I start falling, knowing that the only thing between me and death is the response time and assessment ability of my teammate, I would choose for it to be my best friend because I already know he has the capability and experience to save me.